Add tls support to che operator updates

Signed-off-by: flacatus <flacatus@redhat.com>
2020-07-08 15:31:43 +02:00 · 2020-07-08 15:31:43 +02:00 · ad7df6abbf
parent adfe698031
commit ad7df6abbf
5 changed files with 74 additions and 4 deletions
--- a/.ci/cico_updates_minikube.sh
+++ b/.ci/cico_updates_minikube.sh
@ -86,7 +86,21 @@ waitCheUpdateInstall() {
  fi
 }

+self_signed_minikube() {
+  export DOMAIN=*.$(minikube ip).nip.io
+
+  source ${OPERATOR_REPO}/.ci/util/che-cert-generation.sh
+
+  kubectl create namespace che
+  kubectl create secret tls che-tls --key=domain.key --cert=domain.crt -n che
+  cp rootCA.crt ca.crt
+  kubectl create secret generic self-signed-certificate --from-file=ca.crt -n che
+}
+
 testUpdates() {
+  # Create certificates for tests purpose
+  self_signed_minikube
+
  "${OPERATOR_REPO}"/olm/testUpdate.sh ${PLATFORM} ${CHANNEL} ${NAMESPACE}
  printInfo "Successfully installed Eclipse Che previous version."

--- a/.ci/cico_updates_minishift.sh
+++ b/.ci/cico_updates_minishift.sh
@ -62,7 +62,6 @@ installLatestCheStable() {
  export previousPackageVersion=$(echo "${previousCSV}" | sed -e "s/${packageName}.v//")

  # Add stable Che images and tag to CR
-  sed -i "s/tlsSupport: true/tlsSupport: false/" ${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml
  sed -i "s/cheImage: ''/cheImage: quay.io\/eclipse\/che-server/" ${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml
  sed -i "s/cheImageTag: ''/cheImageTag: ${previousPackageVersion}/" ${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml
  sed -i "s/devfileRegistryImage: ''/devfileRegistryImage: quay.io\/eclipse\/che-devfile-registry:"${previousPackageVersion}"/" ${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml
@ -70,7 +69,7 @@ installLatestCheStable() {
  sed -i "s/identityProviderImage: ''/identityProviderImage: quay.io\/eclipse\/che-keycloak:"${previousPackageVersion}"/" ${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml

  # Start last stable version of che
-  chectl server:start --platform=minishift --che-operator-cr-yaml=${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml \
+  chectl server:start --platform=minishift --skip-kubernetes-health-check --che-operator-cr-yaml=${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml \
    --che-operator-image=quay.io/eclipse/che-operator:${previousPackageVersion} --installer=operator
 }

@ -98,8 +97,30 @@ waitForNewCheVersion() {
  fi
 }

+self_signed_minishift() {
+  export DOMAIN=*.$(minishift ip).nip.io
+
+  source ${OPERATOR_REPO}/.ci/util/che-cert-generation.sh
+
+  #Configure Router with generated certificate:
+
+  oc login -u system:admin --insecure-skip-tls-verify=true
+  oc project default
+  oc delete secret router-certs
+
+  cat domain.crt domain.key > minishift.crt
+  oc create secret tls router-certs --key=domain.key --cert=minishift.crt
+  oc rollout latest router
+
+  oc create namespace che
+
+  cp rootCA.crt ca.crt
+  oc create secret generic self-signed-certificate --from-file=ca.crt -n=che
+}
+
 testUpdates() {
  # Install previous stable version of Eclipse Che
+  self_signed_minishift
  installLatestCheStable

  # Create an workspace
--- a/.ci/util/che-cert-generation.sh
+++ b/.ci/util/che-cert-generation.sh
@ -0,0 +1,36 @@
+#!/bin/bash
+
+#
+# Copyright (c) 2012-2020 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+
+#Declare CN
+export CA_CN=eclipse-che-signer
+
+#Create Root Key
+openssl genrsa -out rootCA.key 4096
+
+#Create and self sign the Root Certificate
+openssl req -x509 -new -nodes -key rootCA.key -subj /CN=${CA_CN} -sha256 -days 1024 -out rootCA.crt
+
+#Create the certificate key
+openssl genrsa -out domain.key 2048
+
+#Create the signing (csr)
+openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CK/O=RedHat/CN=${DOMAIN}" -out domain.csr
+
+#Verify Csr
+openssl req -in domain.csr -noout -text
+
+#Generate the certificate using the domain csr and key along with the CA Root key
+openssl x509 -req -in domain.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out domain.crt -days 500 -sha256
+
+#Verify the certificate's content
+openssl x509 -in domain.crt -text -noout
--- a/.ci/util/ci_common.sh
+++ b/.ci/util/ci_common.sh
@ -151,7 +151,7 @@ getCheAcessToken() {
  if [[ ${PLATFORM} == "openshift" ]]
  then
    KEYCLOAK_HOSTNAME=$(oc get route -n ${NAMESPACE} keycloak --template={{.spec.host}})
-    TOKEN_ENDPOINT="http://${KEYCLOAK_HOSTNAME}/auth/realms/che/protocol/openid-connect/token"
+    TOKEN_ENDPOINT="https://${KEYCLOAK_HOSTNAME}/auth/realms/che/protocol/openid-connect/token"
    export CHE_ACCESS_TOKEN=$(curl --data "grant_type=password&client_id=che-public&username=admin&password=admin" -k ${TOKEN_ENDPOINT} | jq -r .access_token)
  else
    KEYCLOAK_HOSTNAME=keycloak-che.$(minikube ip).nip.io
--- a/olm/olm.sh
+++ b/olm/olm.sh
@ -202,7 +202,6 @@ applyCRCheCluster() {

  CRs=$(yq -r '.metadata.annotations["alm-examples"]' "${packageFolderPath}/${PACKAGE_VERSION}/${packageName}.v${PACKAGE_VERSION}.clusterserviceversion.yaml")
  CR=$(echo "$CRs" | yq -r ".[0]")
-  CR=$(echo "$CR" | yq -r ".spec.server.tlsSupport = false")
  if [ "${platform}" == "kubernetes" ]
  then
    CR=$(echo "$CR" | yq -r ".spec.k8s.ingressDomain = \"$(minikube ip).nip.io\"")